iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
iptables -t mangle -A DIVERT -j ACCEPT
it is best if the second rule is placed before the rule that uses the TPROXY target.
3. Initiating connections with a foreign address as a source
Similarly to the case outlined above, it is sometimes necessary to be
able to initiate a connection with a foreign IP address as the source.
Consider active FTP, where the FTP client listens for connections and
expects them to come from the server's address. Another example: a
webserver in your DMZ that does access control based on the client IP
address. If the proxy could not initiate connections from a foreign IP
address, the webserver would see the inner IP address of the firewall
itself.
In Linux 2.2 this was accomplished by bind()-ing to a foreign address
prior to calling connect(), and it worked. In this tproxy patch it is
done similarly to case 2 outlined above:
* the proxy calls setsockopt() with IP_TRANSPARENT
* the proxy binds to the foreign address
* the proxy calls connect()
The iptables rules with the socket match are also required here.
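The three steps above written out in C, as an added example that is not code from the tproxy patch or its README. It assumes IPv4, a blocking TCP socket, the DIVERT/socket-match rules from this document already loaded, and CAP_NET_ADMIN (without it, the setsockopt() step fails with EPERM and the function reports that instead of falling through to a plain bind()). The addresses in main() are constructed TEST-NET-1 values, not anything from the original.

```c
/* Added example (not from the tproxy README): initiate a TCP connection with
 * a foreign source address using the tproxy4 sequence
 *   setsockopt(IP_TRANSPARENT) -> bind(foreign address) -> connect().
 * Assumes IPv4 and the DIVERT / socket-match rules described in the README. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19 /* value from <linux/in.h>, for older libc headers */
#endif

/* Fill sa from a dotted-quad IPv4 string and a host-order port.
 * Returns 0 on success, -EINVAL if the address does not parse. */
int build_sockaddr(const char *ip, uint16_t port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -EINVAL;
}

/* Step 1: enable IP_TRANSPARENT. This must happen before bind(); otherwise
 * the kernel rejects binding to an address that is not configured locally.
 * Returns 0 or -errno (-EPERM when the caller lacks CAP_NET_ADMIN). */
int enable_transparent(int fd)
{
    int one = 1;
    if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0)
        return -errno;
    return 0;
}

/* Steps 1-3 together. Returns a connected socket fd, or -errno on failure.
 * *failed_step records where it went wrong: 0 address parsing, 1 setsockopt,
 * 2 bind, 3 connect; -1 means success. */
int connect_from_foreign_addr(const char *src_ip, uint16_t src_port,
                              const char *dst_ip, uint16_t dst_port,
                              int *failed_step)
{
    struct sockaddr_in src, dst;
    int fd, rc;

    *failed_step = 0;
    if ((rc = build_sockaddr(src_ip, src_port, &src)) < 0 ||
        (rc = build_sockaddr(dst_ip, dst_port, &dst)) < 0)
        return rc;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;

    *failed_step = 1;                       /* IP_TRANSPARENT before bind() */
    if ((rc = enable_transparent(fd)) < 0)
        goto fail;

    *failed_step = 2;                       /* bind() to the foreign address */
    if (bind(fd, (struct sockaddr *)&src, sizeof(src)) < 0) {
        rc = -errno;
        goto fail;
    }

    *failed_step = 3;                       /* connect() as usual */
    if (connect(fd, (struct sockaddr *)&dst, sizeof(dst)) < 0) {
        rc = -errno;
        goto fail;
    }
    *failed_step = -1;
    return fd;

fail:
    close(fd);
    return rc;
}

int main(void)
{
    /* Constructed sample addresses (TEST-NET-1): appear as 192.0.2.10 when
     * talking to 192.0.2.20:80. With the README's DIVERT rules in place the
     * reply packets are marked and routed back to this socket. */
    int step = -1;
    int fd = connect_from_foreign_addr("192.0.2.10", 0, "192.0.2.20", 80, &step);
    if (fd < 0) {
        fprintf(stderr, "step %d failed: %s\n", step, strerror(-fd));
        return 1;
    }
    printf("connected from a foreign source address, fd=%d\n", fd);
    close(fd);
    return 0;
}
```

The ordering matters: enabling IP_TRANSPARENT after bind() would be too late, because it is bind() that the kernel refuses for a non-local address. Without the DIVERT/socket-match rules the connect() itself may succeed but the replies are routed away from the box, so the handshake never completes.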
How to use it?
-------------
The following use-case assumes a transparent proxy listening on port
50080 and any IP address (0.0.0.0).
First, set up the routing rules with iproute2:
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
Or, if you want to use packet marking for anything else, the least
significant bit is enough for transparent proxying.
ip rule add fwmark 0x1/0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
Note that this latter form only works with newer versions of iproute2.
To support binding to a foreign address, the socket match is required
together with packet marking:
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# DIVERT chain: mark packets and accept
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
The last rule is for diverting traffic to the proxy:
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
--tproxy-mark 0x1/0x1 --on-port 50080
If it is a Squid-3 proxy, the following line is necessary in
/etc/squid/squid.conf for transparent proxying:
http_port 50080 tproxy transparent
Then set up the ACL rules according to your local policy.